Updates to Protected Critical Infrastructure Information Program

Federal Register, May 13, 2016
81 Fed. Reg. 29799 (May. 13, 2016)

AGENCY:

National Protection and Programs Directorate, DHS.

ACTION:

Notice of public meeting.

SUMMARY:

The Department of Homeland Security (DHS) invites public comment on the Advanced Notice of Proposed Rulemaking (ANPRM) to update its regulation “Procedures for Handling Critical Infrastructure Information”. These comments may be used for potential revisions to the current regulation to strengthen and align the language to support the evolving needs of the critical infrastructure community and the cyber landscape.

DATES:

A series of listening sessions will be held on:

1. May 12, 2016 10:00 a.m. to 12:30 p.m. EST and 2:00 p.m. to 4:30 p.m. EST

2. May 17, 2016 10:00 a.m. to 12:30 p.m. EST and 2:00 p.m. to 4:30 p.m. EST

3. May 19, 2016 10:00 a.m. to 12:30 p.m. EST and 2:00 p.m. to 4:30 p.m. EST

Written comments must be submitted on or before Wednesday, July 20, 2016.

ADDRESSES:

The listening sessions will be held at:

  • 1310 North Courthouse Road, 6th Floor, Arlington, VA 22201.

You may submit comments, identified by docket number DHS-2016-0032. To avoid duplication, please use only one of the following methods:

  • Federal eRulemaking Portal: http://www.regulations.gov . Follow the instructions for submitting comments.
  • Mail: U.S. Department of Homeland Security, National Protection and Programs Directorate, Office of Infrastructure Protection, Infrastructure Information Collection Division, 245 Murray Lane SW., Mail Stop 0602, Washington, DC 20528-0602.
  • In person: Verbal comments are acceptable in person at the public listening sessions.

FOR FURTHER INFORMATION CONTACT:

Emily R. Hickey, Deputy Program Manager, by phone at (703) 235-9522 or by mail at Protected Critical Infrastructure Information Program, Office of Infrastructure Protection, Infrastructure Information Collection Division, 245 Murray Lane SW., Mail Stop 0602, Washington, DC 20528-0602.

SUPPLEMENTARY INFORMATION:

Abbreviations and Terms Used in This Document

ANPRM—Advance Notice of Proposed Rulemaking

CFR—Code of Federal Regulations

CII—Critical Infrastructure Information

CII Act of 2002—Critical Infrastructure Information Act of 2002

DHS—Department of Homeland Security

PCII—Protected Critical Infrastructure Information

I. Background

DHS receives sensitive information about the nation's critical infrastructure through its congressionally-mandated PCII Program. The PCII Program provides a secure environment for the private sector, government analysts, and other subject matter experts to share information that is vital to addressing concerns across all critical infrastructure sectors. The Critical Infrastructure Information Act of 2002 (Secs. 211-215, Title II, Subtitle B of the Homeland Security Act of 2002, Pub. L. 107-296) (CII Act of 2002) established the PCII Program, which assures owners and operators that the information they voluntarily submit is protected from public disclosure. In accordance with the CII Act of 2002, on September 1, 2006, DHS issued the PCII Program Final Rule (71 FR 52271, codified at 6 CFR part 29). This rule established procedures that govern the receipt, validation, handling, storage, marking, and use of critical infrastructure information voluntarily submitted to DHS. The procedures are applicable to all Federal, State, local, tribal, and territorial government agencies and contractors that have access to, handle, use, or store critical infrastructure information that enjoy protection under the CII Act of 2002. After 10 years of operation, changes are needed to transition the managing of submissions, access, use, dissemination and safeguarding of PCII to state of the art technology that operates within an electronic environment.

II. Scope of Listening Sessions

DHS is interested in obtaining recommendations for program modifications, particularly in subject matter areas that have developed significantly since the issuance of the initial rule; however, DHS has particular interest in hearing comments regarding: (1) Automated submissions and an expansion of categorical inclusions, (2) marking PCII, (3) sharing PCII with foreign governments, (4) regulatory access, (5) safeguarding, (6) oversight and compliance, (7) alignment with other information protection programs, and (8) the administration of PCII at the State, local, tribal, and territorial level.

Additionally, DHS seeks comment on the economic impact of transitioning the PCII Program to a preferred electronic environment that: (1) Enhances the submission and validation process for critical infrastructure information, (2) uses state of the art technology for an automated interface for quicker access and dissemination of PCII, (3) modifies requirements for the express and certification statements; (4) expands the use of categorical inclusions; (5) requires portion marking of PCII; and (6) implements specific methods to capture and deliver metadata to the PCII Program.

III. Written Comments

A. In General

DHS invites all interested persons, even those who are unable to attend the listening sessions, to submit written comments, data, or views on how the current PCII Program regulations, codified at 6 CFR part 29, “Procedures for Handling Critical Infrastructure Information,” might be improved. Comments that would be most helpful to DHS include the questions and answers identified in Part II of this document. Please explain the reason for any comments with available data, and include other information or authority that supports such comments. DHS encourages interested parties to provide specific data that documents the potential costs of modifying the existing rule requirements pursuant to the commenter's suggestions; the potential quantifiable benefits including security and societal benefits of modifying the existing regulatory requirements; and the potential impacts on small entities of modifying the existing regulatory requirements.

Written comments may be submitted electronically or by mail, as explained previously in the ADDRESSES section of this ANPRM. To avoid duplication, please use only one of these methods to submit written comments.

Except as provided below, all comments received, as well as pertinent background documents, will be posted without change to http://www.regulations.gov, including any personal information provided.

B. Handling of Proprietary or Business Sensitive Information

Interested parties are encouraged to submit comments in a manner that avoids discussion of trade secrets, confidential commercial or financial information, CII or PCII, or any other category of sensitive information that should not be disclosed to the general public. If it is not possible to avoid such discussion, however, please specifically identify any confidential or sensitive information contained in the comments with appropriate warning language (e.g., any PCII must be marked and handled in accordance with the requirements of 6 CFR part 29 §§ 29.5-29.7) and submit them by mail to the PCII Program Manager listed in the FOR FURTHER INFORMATION CONTACT section.

DHS will not place any confidential or sensitive comments in the public docket; rather, DHS will handle them in accordance with applicable safeguards and restrictions on access. See, e.g., 6 CFR part 29 §§ 29.5-29.7. See also the DHS PCII Procedures Manual (“Protected Critical Infrastructure Information Program,” April 2009, located on the DHS Web site at www.dhs.gov/protected-critical-infrastructure-information-pcii-program ). DHS will hold any such comments in a separate file to which the public does not have access, and place a note in the public docket that DHS has received such materials from the commenter. DHS will provide appropriate access to such comments upon request to individuals who meet the applicable legal requirements for access of such information.

IV. Listening Sessions

A. Purpose

DHS will hold listening sessions on how the current PCII Program regulations, codified at 6 CFR part 29, “Procedures for Handling Critical Infrastructure Information,” might be improved.

B. Procedures and Participation

These meetings are open to the public. The listening sessions will be made available online via webinar and can be accessed through the following link, https://share.dhs.gov/pcii-training/, at the beginning of each listening session. Additionally, there will be a conference bridge made available so members of the public can dial into the listening sessions for audio. The conference bridge phone number for all the 10:00 a.m. to 12:30 p.m. EST listening sessions is 1-800-369-1912 followed by entering the participant passcode: 3922843. The conference bridge phone number for all the 2:00 p.m. to 4:30 p.m. EST listening sessions is 1-888-790-1952 followed by entering the participant passcode: 1933978. There are no fees to attend any of the listening sessions. DHS will do its best to accommodate all persons who wish to make a comment during the listening sessions. DHS encourages persons and groups having similar interests to consolidate their information for presentation through a single representative.

The listening sessions are intended for technical experts, who have a cyber, security, regulatory or other background to discuss the proposed topics regarding updates to the PCII Program at an expert level. However, individuals who are not technical experts (or who do not meet the other criteria) may still attend and participate in the meeting. The listening sessions are intended to afford the public an opportunity to provide comments to DHS concerning the PCII Program and updating its current regulation. For the listening sessions, comments are requested not to exceed four minutes at a time to enable all interested attendees an opportunity to provide comment. Should time permit, commenters who need additional time may be invited to complete their comments. The listening sessions may adjourn early if all commenters present have had the opportunity to speak prior to the scheduled conclusion of the session. Participants who speak will be asked to provide their name, title, company and stakeholder segment. The listening sessions will be recorded to support the note-taking effort. Notes from the listening sessions, including the webinar materials, will be posted at http://www.regulations.gov . DHS will place a transcript of the listening sessions in the docket for this rulemaking.

Tammy Barbour,

Protected Critical Infrastructure Information, (PCII) Program Manager, Infrastructure, Information Collection Division.

[FR Doc. 2016-11338 Filed 5-10-16; 4:15 pm]

BILLING CODE 9110-9P-P